Conference:  Global AppSec San Francisco 2022

Authors: Andrew Krug, Ellen Wang

2022-11-18

Software packages are a juicy target for attackers to compromise. They allow malicious actors to access machines and production environments to steal sensitive data, or perform cryptojacking. In the last few months alone, multiple malicious Python packages have been reported to steal credentials from their victims and were subsequently removed. In the worst case, these packages are an attractive target for advanced threat actors to gain access to victims to steal intellectual property or carry out nation state objectives, as seen in CodeCov and SUNBURST.What makes a “bad” package? How can we identify software packages that look malicious? In this talk, we start by showcasing some real-world malicious Pypi packages and the techniques they use to spread and execute code in victims’ environments. We then discuss how we use Semgrep, a static analysis tool designed for vulnerability detection, to scan the source code of Pypi packages and identify suspicious patterns characteristic of malware. Finally, we demonstrate the concept by dissecting malicious Pypi packages we found in the wild.Introduction- Explanation of SLSA threat model with focus on dependency- Short history of malicious Pypi packages - Why it’s a real problem, mention that most existing tools look for previously detected malware and cannot identify never-before-seen malicious software- Problem statement: How to identify malicious packages at scale?Techniques used by Pypi malware (with illustration with real-world examples)- Quick explanation of data analyzed to find techniques: 30-40 PyPI packages removed from PyPI- Explanation of most common patterns found in malware:- Initial access: typosquatting, compromising the maintainer account, compromising the maintainer email domain- Execution: Using a setup script, hooking a function, evaluating dynamic code- Exfiltration: Using url shorteners, stealing environment variables, using an unusual domain extension- Goal: cryptomining, stealing credentialsWriting Semgrep rules to catch malicious Pypi packages:- Quick intro to Semgrep (30s)- Semgrep taint analysis mode- Explanation of detection heuristics created:- Execution of base64-encoded strings- Exfiltration over HTTP of sensitive information- Download and execution of an executable file- Executing commands in setup.py- Putting it all together in a CLI- Results overview: real-world malicious packages we caught and false positive rateConclusion- Brief summary- Future work: Running it at scale and continuously in AWS Lambda

Conference:  Cloud Native SecurityCon North America 2022

Authors: Diego Rodriguez-Losada Gonzalez

2022-10-24

Diego Rodriguez shares how Conan.io, an open-source package manager for C and C++, has managed to maintain supply chain security despite its wide reception.

• Conan.io is an open-source package manager for C and C++ that has over 11 million binaries built by user-submitted recipes.
• Despite its wide reception, Conan.io has had 0 security incidents since its inception.
• Conan.io utilizes automated quality checks, compiler security mitigations, package signing, a secure build pipeline, and an extremely strict and efficient review process to maintain supply chain security.
• Diego Rodriguez and his team have received over 9000 pull requests in the last two years and have a dedicated team of 10 people sponsored by jfrog as maintainers of the Conan project.
• Conan.io is becoming an important piece in the C++ ecosystem and needs to be secure.

Conference:  CloudOpen 2022

Authors: Jaehyun Sim

2022-06-23

The presentation discusses the challenges faced in managing a Python Package Index (PyPI) server in a cloud-native environment and explores different options for hosting a PyPI server.

• The speaker discusses the challenges of managing a PyPI server in a cloud-native environment
• The speaker explores different options for hosting a PyPI server, including public PyPI, self-hosted PyPI, and cloud-based PyPI solutions
• The speaker emphasizes the importance of portability, security, resiliency, and speed in a PyPI hosting solution
• The speaker shares an anecdote about the challenges of managing a tangled codebase with embedded machine learning models in multiple services
• The speaker suggests separating the machine learning model portion of the codebase into different repositories and managing them separately as packages in a PyPI server